There is a critical change in doctrine/orm since version 2.8.3.
Here is a simple example for a query with multiple where expressions:

```php
$qb = $em->createQueryBuilder()
    ->from(Customer::class, 'customer')
    ->select('customer')
    ->andWhere('customer.active = true')
    ->andWhere('customer.firstName like ?1 or customer.lastName like ?1')
    ->setParameter(1, '%' . $searchitem . '%')
;
```

In version 2.8.2 this results in:

```sql
SELECT c0_.id AS id_0, c0_.first_name AS first_name_1, c0_.last_name AS last_name_2, c0_.active AS active_3 FROM customer c0_ WHERE c0_.active = 1 AND (c0_.first_name LIKE ? OR c0_.last_name LIKE ?)
```

... but now in version 2.8.3 I get this:

```sql
SELECT c0_.id AS id_0, c0_.first_name AS first_name_1, c0_.last_name AS last_name_2, c0_.active AS active_3 FROM customer c0_ WHERE c0_.active = 1 AND c0_.first_name LIKE ? OR c0_.last_name LIKE ?
```

In my opinion this is very critical. This has led to security problems in several of my applications.
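
Added example (not part of the original issue, and not Doctrine code): because SQL's `AND` binds tighter than `OR`, the 2.8.3 statement is evaluated as `(active = 1 AND first_name LIKE ?) OR last_name LIKE ?`, so the `active` filter no longer applies to last-name matches. The script below runs the two `WHERE` clauses from the generated SQL against constructed rows; SQLite, the simplified `customer` table and the search term are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample rows: (first_name, last_name, active)
ROWS = [
    ("Alice", "Smith", 1),     # active, matches on last name
    ("Bob", "Smithers", 0),    # inactive, matches on last name only
    ("Smitty", "Jones", 0),    # inactive, matches on first name only
    ("Carol", "Brown", 1),     # active, no match
]

# WHERE clauses taken from the two generated statements (table alias dropped).
WHERE_2_8_2 = "active = 1 AND (first_name LIKE ? OR last_name LIKE ?)"
WHERE_2_8_3 = "active = 1 AND first_name LIKE ? OR last_name LIKE ?"


def search(where, term):
    """Run one WHERE clause against the constructed table and return the rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, "
        "first_name TEXT, last_name TEXT, active INTEGER)"
    )
    con.executemany(
        "INSERT INTO customer (first_name, last_name, active) VALUES (?, ?, ?)",
        ROWS,
    )
    pattern = f"%{term}%"
    rows = con.execute(
        f"SELECT first_name, active FROM customer WHERE {where} ORDER BY id",
        (pattern, pattern),
    ).fetchall()
    con.close()
    return rows


def leaked_rows(term):
    """Rows the unparenthesized form returns that the parenthesized form filters out."""
    expected = set(search(WHERE_2_8_2, term))
    return [row for row in search(WHERE_2_8_3, term) if row not in expected]


if __name__ == "__main__":
    print("2.8.2 form:", search(WHERE_2_8_2, "Smit"))
    print("2.8.3 form:", search(WHERE_2_8_3, "Smit"))
    print("rows bypassing the active filter:", leaked_rows("Smit"))
```

The inactive customer matched by last name comes back only from the unparenthesized form, while the inactive customer matched by first name is still filtered; a regression test of this shape on an application's own queries catches the change after an ORM upgrade.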